On Tuesday, February 16, 2016, the California Attorney General's Office released its Data Breach Report, analyzing the 657 data breaches reported to the Attorney General's office from 2012 to 2015. According to the report, the majority of the reported breaches were the result of security failures. Based on these findings, the Attorney General's report makes recommendations to organizations and, for the first time, addresses what constitutes "reasonable security measures" to protect personal information under California law.

Findings from Reported Data Breaches

Based on reported data, more than 49 million records pertaining to Californians were affected by data breaches between 2012 and 2015. Although the number of reported breaches remained constant from 2014 to 2015, the number of records at risk increased dramatically from 4.3 million in 2014 to more than 24 million in 2015.

More than half of the reported data breaches resulted from malware and hacking, but a significant number resulted from physical theft/loss (22 percent), errors (17 percent), or misuse by internal personnel (7 percent). Social Security numbers, health information, and financial information continue to be the types of data involved in most data breaches. The Attorney General predicts that cyber criminals will increasingly look to obtain Social Security numbers as retailers continue to transition away from magnetic stripe readers to chip-enabled payment cards.

Recommendations Regarding Reasonable Security Measures

The Data Breach Report is especially significant because it provides, for the first time, guidance from the Attorney General on what the California Department of Justice views as reasonable security measures under California law.[1] In the view of the Attorney General, organizations should, at minimum, implement the Center for Internet Security's Critical Security Controls (the "Controls"). The Data Breach Report adopts these Controls as the "minimum level of information security" that all organizations must meet and states that "the failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."[2]

The Center for Internet Security's Controls include the following 20 controls:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browsing Protection
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

In addition to adopting the Controls, the report recommends that organizations use multifactor authentication not only to protect critical systems and data but also for consumer-facing online accounts. Many online consumers fail to create unique passwords for each account, making it easier for cyber thieves to hack into multiple accounts. Multifactor authentication, such as sending a passcode to the user's cell phone, would decrease such a risk.

The report further recommends that organizations, particularly health care organizations, use strong data encryption to protect personal information in transit. More than half of the breaches in the health care sector resulted from the failure to encrypt such information.

The report recommends placing fraud alerts on consumers' credit files when Social Security numbers or driver's license numbers are breached.

Finally, the report also recommends that "State policy makers should collaborate in seeking to harmonize state breach laws on some key dimensions. Such an effort could preserve innovation, maintain consumer protections, and retain jurisdictional expertise."

Although the Data Breach Report's findings are not surprising, its recommendations, particularly the adoption of the Center for Internet Security's Critical Security Controls, represent a significant development for organizations seeking to comply with California's data protection requirements.

California was the first state to enact data breach notification regulations, and the report's recommendations as to what constitutes "reasonable security" are likely to be adopted by other states. By defining "reasonable security," the California Attorney General is also sending a strong signal that we are going to see increased enforcement of California's data security statute.

The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.
